A method and system for non-repudiation of AIAgent transactions based on TEE and layered blockchain
By generating a signing private key within the TEE and utilizing a hash tree-based batch notarization method based on a layered blockchain architecture, the high cost and latency of AI Agent transaction notarization are resolved. This achieves low-cost, real-time, and non-repudiable notarization, making it suitable for non-repudiable notarization of AI Agent transactions.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- KAIDUOER (GUANGZHOU) CLOUD TECH CO LTD
- Filing Date
- 2026-04-17
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies for AI Agent transaction notarization are costly, have long confirmation delays, and are difficult to achieve non-repudiation of hardware root of trust binding at a low cost.
The system generates and stores signature private keys within a Trusted Execution Environment (TEE), combines a layered blockchain architecture, aggregates transaction data in batches through a hash tree, uploads only the root hash to the chain, ensures immutability through the on-chain evidence storage layer, and stores the original evidence off-chain, thus achieving non-repudiation and low-cost evidence storage.
It significantly reduces the cost of evidence preservation, shortens the confirmation time, provides hardware-level non-repudiation, meets the real-time requirements of high-frequency trading, and has judicial effect.
Smart Images

Figure CN122390744A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of blockchain evidence storage and trusted computing technology. Specifically, it relates to a method and system for non-repudiation evidence storage of the autonomous transaction behavior of artificial intelligence (AI) agents by combining a trusted execution environment (TEE) with a blockchain layered evidence storage architecture. Background Technology
[0002] After executing transactions such as procurement and payment, AI agents need to retain legally valid and immutable evidence for auditing and dispute arbitration. Existing evidence storage solutions suffer from the following technical deficiencies:
[0003] The lack of trust in centralized evidence storage: Traditional procurement systems centrally store logs in databases or files, which can be easily tampered with by administrators or attackers, resulting in a generally low acceptance rate of judicial appraisals.
[0004] Full on-chain costs are high and latency is significant: Submitting the complete data or hash of each transaction directly to the public chain incurs high fees and confirmation delays, making it difficult to meet the real-time and economic requirements of high-frequency trading scenarios.
[0005] Insufficient security of private key storage: If the signing private key of the AI Agent is stored in ordinary memory or persistent storage, it is vulnerable to attacks such as memory dump, cold start, and theft by malware. Attackers can forge digital signatures, making it impossible to determine the true initiator of the operation, that is, the non-repudiation of the operation is lacking.
[0006] To address the issues of cost and efficiency in blockchain-based evidence storage, layered blockchain architecture solutions have emerged in existing technologies. For example, CN 121193807 A discloses a method for distributed edge caching of transactions and verification, employing a layered hybrid chain architecture consisting of edge light chains and the main chain. However, this solution primarily targets edge caching transaction scenarios, and its layering aims to improve blockchain scalability. It does not address hardware-level security protection of private keys in AI Agent transaction scenarios, nor does it propose an evidence storage architecture that balances judicial validity and cost control, combining on-chain hashing with off-chain original text.
[0007] Therefore, there is an urgent need for an AIAgent transaction evidence storage solution that can guarantee judicial non-repudiation while also taking into account low cost and real-time performance. Summary of the Invention
[0008] Technical problems to be solved
[0009] The present invention aims to solve the technical problems of high transaction evidence storage costs, long confirmation delays, and difficulty in achieving operational non-repudiation with strong legal effect that is bound to hardware root of trust at low cost in the existing AI Agent technology.
[0010] Technical solution
[0011] To achieve the above objectives, this invention provides a non-repudiation notarization method for AI Agent transactions based on TEE and layered blockchain, comprising the following steps:
[0012] Step S1: TEE Intrinsic Key and Signature Generation Within a secure area running in a Trusted Execution Environment (TEE), the AI Agent generates and permanently stores its signature private key, which is not visible outside the TEE. When the Agent initiates a transaction, it constructs transaction evidence data TxData. The Agent then calls the TEE's internal signature interface to sign the hash value of TxData using the private key, generating a digital signature Sig.
[0013] Step S2: Evidence storage server verification and processing The evidence storage server receives the TxData and Sig submitted by the Agent or the trading platform, and first verifies the validity of Sig. After successful verification, it generates a complete evidence package Hash_full = Hash(TxData || Sig).
[0014] Step S3: Hierarchical evidence storage based on hash tree The evidence storage server collects multiple complete evidence packages within a predetermined number or time window, constructs a hash tree, and calculates the root hash Merkle_Root. The Merkle_Root, along with metadata such as timestamps and batch identifiers, is packaged and submitted to the first-layer on-chain evidence storage layer. Simultaneously, all original evidence packages (TxData, Sig) and their corresponding hash tree proof paths are stored in the second-layer off-chain evidence storage layer.
[0015] Step S4: Evidence Retention and Association The root hash and the identifier of the block to which it belongs are stored in the on-chain evidence storage record; the on-chain batch identifier to which it belongs and the leaf node index in the hash tree are stored in the metadata of the off-chain evidence storage record.
[0016] Step S5: Verification and Evidence Collection In response to the verification request, the original evidence package of the target transaction and its proof path are obtained from the off-chain evidence storage layer. The hash path is verified using the root hash publicly disclosed by the on-chain evidence storage layer, and the matching of the digital signature and the AI Agent public key is verified at the same time.
[0017] Beneficial effects
[0018] Compared with the prior art, the present invention has the following beneficial effects:
[0019] Significantly reduced evidence storage costs: By batch aggregating data onto the blockchain using hash trees, the evidence storage requirements for multiple transactions are compressed into a single on-chain transaction. Compared to storing each transaction on the blockchain individually, the overall evidence storage cost for a single transaction can be reduced by more than 80%.
[0020] High real-time performance of evidence storage and confirmation: By placing a large amount of data off-chain and only putting the hash root on-chain, combined with high-performance sidechains or consortium chains, the evidence storage and confirmation time can be shortened to the second level, meeting the real-time requirements of high-frequency transactions.
[0021] It features hardware-level non-repudiation: The AI Agent's signature private key is generated inside the TEE and is never exported. It is computationally impossible for attackers to steal the private key or forge the signature, thus providing non-repudiation evidence of operation bound to the hardware device for each transaction.
[0022] Balancing judicial validity with storage economy: On-chain hashes ensure global immutability, while off-chain original texts ensure data traceability, greatly reducing on-chain storage and computing costs while meeting judicial evidence collection requirements. Attached Figure Description
[0024] Figure 1 This is a diagram of the overall architecture of the layered evidence storage of this invention, showing the interaction between the TEE, the evidence storage server, the on-chain blockchain layer, and the off-chain storage layer.
[0025] Figure 2 This is a flowchart of the batch evidence storage process of the hash tree of the present invention, which shows the process from collecting evidence packages to calculating the root hash and storing it on the chain and off the chain respectively.
[0026] Figure 3 This is a flowchart of the evidence verification and report generation process for this invention, showing the complete process from verification request to output verification report. Detailed Implementation
[0028] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be described in detail below with reference to the accompanying drawings and specific embodiments.
[0029] Example 1
[0030] Reference Figure 1The layered evidence storage architecture shown in this embodiment uses a computing instance supporting TEE (e.g., an Alibaba Cloud g7t series cloud server with Intel SGX enabled) to run the AI Agent program. The AI Agent's signing private key is generated within the Enclave (secure area) using the ECDSA algorithm (secp256k1 curve), and the private key never leaves the Enclave. The transaction evidence storage data TxData for each purchase transaction includes: order ID (UUID), Unix timestamp, Agent decentralized identity (DID, e.g., did:example:123), supplier DID (e.g., did:example:456), SHA-256 hash value of the purchase details, and transaction amount (USD). The Agent calls the Enclave signing interface to sign the Hash(TxData) and generate a digital signature Sig.
[0031] The evidence storage server is deployed on an enterprise cloud server and receives (TxData, Sig) submitted by the Agent via the gRPC protocol. The server first verifies the validity of the signature (using the Agent's public key), and after successful verification, calculates the complete evidence packet Hash_full = SHA256(TxData || Sig).
[0032] Reference Figure 2 The flowchart shown illustrates the batch evidence storage process using a hash tree. The evidence storage server is configured with a batch aggregation strategy: batch evidence storage is triggered every 100 accumulated transactions, or every 10 minutes (whichever comes first). The server collects all complete evidence packets (Hash_full) within the batch as leaf nodes, constructs a Merkle tree, and calculates the root hash (Merkle_Root).
[0033] The on-chain evidence storage layer uses the evidence storage service of a compliant domestic consortium blockchain (such as Chang'an Chain). The evidence storage server packages the Merkle_Root along with metadata such as batch ID and timestamp into a transaction, submits it to the consortium blockchain, and uploads it to the blockchain after consensus. In the test environment of this embodiment, the on-chain transaction fee for each batch is approximately RMB 0.1, which translates to a single evidence storage cost of RMB 0.001, and the block generation time is approximately 1 second.
[0034] The off-chain evidence storage layer uses the enterprise's self-built MinIO object storage (a private cloud storage system). The evidence storage server serializes each complete evidence package (TxData, Sig) and its proof path in the Merkle tree (i.e., the sibling node hash values required from the leaf node to the root node) into JSON format, stores it in MinIO, and generates a unique HTTP access URL for each piece of data. At the same time, the stored metadata records the on-chain batch identifier (batchId) to which the evidence package belongs and the leaf node index (indexInTree) in the Merkle tree.
[0035] Reference Figure 3 The flowchart shown illustrates the evidence verification and report generation process. When a third-party verification agency (or auditor) receives a verification request for an order (e.g., based on the order ID), the following verification process is executed:
[0036] Retrieve the original evidence package (TxData, Sig) of the target transaction and its Merkle proof path from the off-chain MinIO storage based on the order ID.
[0037] Obtain the on-chain evidence record corresponding to the batchId from the consortium blockchain to get the Merkle root hash.
[0038] The verification agency calculates the hash value of (TxData, Sig) and uses the obtained Merkle proof path to cryptographically verify whether this hash value can ultimately be calculated to a value consistent with the on-chain root hash. If they are consistent, it proves that the evidence package has not been tampered with since it was stored.
[0039] At the same time, it verifies whether the digital signature Sig matches the public key declared in the Agent DID to confirm that the transaction was indeed signed by the Agent's private key.
[0040] (Optional Step) To enhance the credibility of hardware trust, the authentication agency can also initiate TEE remote authentication through Intel IAS (Intel Attestation Service) to verify the identity and metric of the AI Agent's Enclave, thereby proving that the signing private key is indeed running in a real and tamper-proof TEE environment.
[0041] Ultimately, the verification agency generates a comprehensive verification report that includes on-chain transaction hashes, block height, signature verification results, and remote proof reports (if any). This report meets the technical requirements for the authenticity of electronic evidence under the Electronic Signature Law and the Rules for Online Litigation of People's Courts, and has the technical basis for being accepted by judicial appraisal institutions.
[0042] Test Results: In the test environment of this embodiment, 100 simulated purchase orders were stored and verified, and all passed. The average time for a single signature was 8 milliseconds, the average time for remote verification was 30 milliseconds, and the entire verification process (excluding network transmission) took less than 100 milliseconds.
[0043] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A non-repudiation notarization method for AI Agent transactions based on TEE and layered blockchain, characterized in that, include: The AI Agent's signature private key is generated and stored based on the Trusted Execution Environment (TEE), and a digital signature is generated on the transaction evidence data using the private key within the TEE. The transaction evidence data and the digital signature are sent to the evidence storage server. The evidence storage server receives the transaction evidence storage data and the digital signature, verifies the signature, and generates a complete evidence package. Construct a hash tree, using the multiple complete evidence packets as leaf node values, and calculate the root hash; The root hash is submitted to the first-layer blockchain evidence storage layer for evidence storage, and the complete evidence package and its proof path in the hash tree are stored in the second-layer off-chain evidence storage layer. In response to the verification request, the target evidence package and proof path are obtained from the off-chain evidence storage layer and verified in conjunction with the root hash of the on-chain evidence storage layer to confirm the integrity of the evidence and the authenticity of the signature.
2. The method according to claim 1, characterized in that, The TEE is any one of Intel SGX, AMD SEV, or ARM TrustZone; the private key is generated within the secure area of the TEE and is not visible to operating systems and applications outside the TEE.
3. The method according to claim 1, characterized in that, Before constructing the hash tree, the process also includes batch aggregation of the collected complete evidence package based on a preset transaction quantity threshold or time threshold.
4. The method according to claim 1, characterized in that, Also includes: The TEE remote proof protocol provides the verifier with cryptographic proof that the AI Agent's signing private key is indeed running in a real and tamper-proof TEE environment.
5. The method according to claim 1, characterized in that, The evidence storage service is a third-party platform independent of the AI Agent; the on-chain evidence storage layer is a sidechain of a consortium blockchain or a public blockchain; and the off-chain evidence storage layer is private cloud storage or a distributed file system.
6. A non-repudiation notarization system for AI Agent transactions based on TEE and layered blockchain, characterized in that, Used to perform the method according to any one of claims 1 to 5.